Rapid7 Vulnerability & Exploit Database

RHSA-2010:0824: mysql security update


Severity: 7
CVSS: (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Published: 06/07/2010
Created: 07/25/2018
Added: 11/11/2010
Modified: 07/04/2017

Description

MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries.

It was found that the MySQL PolyFromWKB() function did not sanity check Well-Known Binary (WKB) data. A remote, authenticated attacker could use specially-crafted WKB data to crash mysqld. This issue only caused a temporary denial of service, as mysqld was automatically restarted after the crash. (CVE-2010-3840)

A flaw was found in the way MySQL processed certain alternating READ requests provided by HANDLER statements. A remote, authenticated attacker could use this flaw to provide such requests, causing mysqld to crash. This issue only caused a temporary denial of service, as mysqld was automatically restarted after the crash. (CVE-2010-3681)

A directory traversal flaw was found in the way MySQL handled the parameters of the MySQL COM_FIELD_LIST network protocol command. A remote, authenticated attacker could use this flaw to obtain descriptions of the fields of an arbitrary table using a request with a specially-crafted table name. (CVE-2010-1848)

All MySQL users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the MySQL server daemon (mysqld) will be restarted automatically.

Solution(s)

  • redhat-upgrade-mysql
  • redhat-upgrade-mysql-bench
  • redhat-upgrade-mysql-devel
  • redhat-upgrade-mysql-server
